CVE-2019-0612

MEDIUM

Microsoft Edge - Security Feature Bypass via Click2Play Flash Handling

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-0612. PoCs published by Google Security Research.

AI-analyzed exploit summary: This exploit bypasses Flash click2play in Microsoft Edge by manipulating the CObjectElement::FinalCreateObject logic to load a Flash object without user interaction. It leverages a race condition and document state manipulation to bypass security checks.

Description

A security feature bypass vulnerability exists when Click2Play protection in Microsoft Edge improperly handles Flash objects. By itself, this bypass vulnerability does not allow arbitrary code execution, aka 'Microsoft Edge Security Feature Bypass Vulnerability'.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Google Security Research · text · dos · windows
https://www.exploit-db.com/exploits/46569


Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Racy
Target: Microsoft Edge on Windows 10 64bit v 1809
No auth needed
Prerequisites: Flash plugin installed · Microsoft Edge with specific version
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 5.3
EPSS: 0.1051
EPSS Percentile: 95.2%
Attack Vector: NETWORK
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Details

Status: published
Products (1): microsoft/edge
Published: Apr 08, 2019
Tracked Since: Feb 18, 2026